I. (U) Introduction


A. (U) The Board's Examination of Executive Order 
12333 Activities 


(U) In July 2014, the Board announced that it would review, among other matters, 
counterterrorism-related intelligence activities conducted pursuant to Executive 
Order 12333 ("E.O. 12333"). First issued in 1981 and last updated in 2008, E.O. 12333
establishes an operational framework for 17 federal entities designated as part of the
nation's Intelligence Community ("IC").2 The executive order does not provide
authority for any one intelligence-gathering effort, nor is there any single E.O. 12333 
surveillance "program." Nonetheless, understanding how IC elements implement 
E.O. 12333 is a critical part of understanding how they protect privacy and civil 
liberties while also protecting the nation against terrorism. 


(U) The executive order regulates the use of certain intelligence-gathering methods
and outlines parameters under which intelligence agencies may collect and utilize
information about United States persons (“USPs”). Among other things, E.O. 12333
requires IC elements to follow procedures approved by the Attorney General in order
to collect, retain, or disseminate information concerning USPs, or to use certain
collection methodologies within the United States or directed at USPs abroad.3

United States Persons

(U) A “United States person” under E.O. 12333 means (1) “a United States citizen,”
(2) “an alien known by the intelligence element concerned to be a permanent resident
alien,” (3) “an unincorporated association substantially composed of United States
citizens or permanent resident aliens,” or (4) “a corporation incorporated in the
United States, except for a corporation directed and controlled by a foreign
government or governments.” E.O. 12333 § 3.5(k).


(U) In April 2015, the Board adopted a project description memorializing its E.O. 
12333 oversight effort. The Board explained that it would select specific 
counterterrorism-related activities conducted under E.O. 12333 by the National


1 (U) Executive Order No. 12,333 (hereinafter E.O. 12333).

2 (U) E.O. 12333 was signed on December 4, 1981. It was amended in 2004 by Executive Order 13355
to facilitate “strengthened management of the Intelligence Community.” E.O. 12333 was again
amended in 2008 by Executive Order 13470 to strengthen the role of the Director of National
Intelligence and permit the sharing of signals intelligence under certain conditions.


3 (U) E.O. 12333 §§ 2.3-2.4.

Security Agency (“NSA”) and Central Intelligence Agency (“CIA”), and would conduct
in-depth examinations of those activities. The Board also stated that it would issue a 
public report on the legal framework that governs the collection, use, retention, and 
dissemination of information concerning USPs.4 In November 2015, the Board 
approved a project description for NSA review. That project description focused the 
Board's efforts on an NSA activity conducted using the Agency's processing and 
discovery system known as XKEYSCORE. Throughout 2016, Board staff prepared 
draft documents and ultimately created an interim statement of facts and 
recommendations. By the time this was complete, the Board had become inquorate, 
and the report could not be finalized. Nonetheless, the interim statement of facts and 
the recommendations were shared with NSA to confirm their accuracy.5 In turn, NSA 
shared the interim statement of facts with the Department of Justice. 


(U) When the sub-quorum period ended in late 2018, the Board began reviewing 
work done previously and sought to bring pending projects to an appropriate 
conclusion. In early 2019, the Board renewed its efforts to complete the report on 
XKEYSCORE. 


B. (U) Focus and Purpose of This Report 


(S//REL TO USA, FVEY) The focus of this report is XKEYSCORE as used to
support NSA's E.O. 12333 signals intelligence (“SIGINT”) mission.6


4 (U) “PCLOB Examination of E.O. 12333 Activities in 2015,” available at
https://www.pclob.gov/library/20150408-EO12333_Project_Description.pdf.


5 [illegible] These included recommendations to harmonize the governing
policy documents with existing privacy-protective practices, and to track and minimize how much US 
person information XKEYSCORE processes. NSA did not formally adopt any of these 
recommendations, and the Board reiterates some of them below. 


6 (U) According to NSA, SIGINT comprises communications intelligence, electronic intelligence, and
foreign instrumentation signals intelligence, either individually or in combination. Communications
intelligence ("COMINT") is defined as “technical and intelligence information derived from foreign
communications by other than the intended recipients” and “the collection and processing of foreign
communications passed by radio, wire, or other electromagnetic means.” See NSCID 6 § 4(b). See also
NSA/CSS Policy 1-23.

[illegible] As described in more detail below, XKEYSCORE is a processing and
discovery system used with NSA's

collection architecture. XKEYSCORE is,

a tool

not a discrete intelligence “program,”
XKEYSCORE’s capabilities are diverse and powerful, but, at a high level, XKEYSCORE

traffic acquired pursuant to E.O. 12333.7 In the
counterterrorism context, NSA uses XKEYSCORE for identifying new terrorism-
related targets and selectors, methods of communications used by terrorists

(U) SIGINT is intelligence derived from electronic signals and systems such as
communications networks, radars, and weapons systems. It includes communications
between people and [illegible] signals that are not directly used in communications,
and such as automated machine-to-machine data flow.


[illegible] XKEYSCORE's technical capabilities are broad. NSA
uses these capabilities in a number of different ways, for both counterterrorism
activities and other foreign intelligence objectives, such as gathering foreign military
and political information and identifying the activities of foreign intelligence services.8
Given the diversity of XKEYSCORE’s capabilities, the Board focused on aspects that
are uniquely powerful and most directly implicate USP privacy and civil liberties.


analysts access and index that data. Accordingly, this report does not
comprehensively examine all aspects of XKEYSCORE’s capabilities.9


7 [illegible] NSA refers to this
typically by way of signals intelligence collection.


8 [illegible] The Board has focused on the use of XKEYSCORE for counterterrorism
purposes. However, XKEYSCORE is used in the same way, or similar ways, for other foreign
intelligence activities. Thus, the Board believes this report is applicable to a range of NSA activities
utilizing XKEYSCORE—not just those aspects relating to counterterrorism.


9 [illegible] For example, the capabilities in XKEYSCORE allow for


But these capabilities were not part of the Board’s examination because they do not raise novel 
privacy and civil liberties questions in the same way that XKEYSCORE's search-and-discovery 
capabilities do. For more on how the Board focused its examination, see the criteria outlined in the 
Board's announcement of its E.O. 12333 investigations. "PCLOB Examination of E.O. 12333 Activities 
in 2015," available at https://www.pclob.gov/library/20150408-EO12333_Project_Description.pdf.

[illegible] This report examines these aspects of XKEYSCORE in
light of the privacy and civil liberties implications they raise for USPs. The Board
believes this report will advance the understanding for appropriately cleared
individuals of XKEYSCORE's critical capabilities and their impact on privacy and civil
liberties. In addition, the Board offers recommendations for how NSA and other
entities can responsibly balance mission needs against U.S. persons' privacy and civil
liberties as XKEYSCORE and the broader [illegible] environment evolve.


C. (U) Methodology 


(U//FOUO) The Board's initial oversight was [illegible] by briefings and other
discussions between NSA and Board Members and staff between May 2015 and
November 2016. The Board reviewed guidance and training provided to NSA
personnel, oversight and compliance mechanisms, and the relationship between
XKEYSCORE and NSA's E.O. 12333 implementing procedures. The Board also
received relevant documents from NSA, including policies, training materials,
manuals, and handbooks. After the Board regained a quorum, the Board reengaged
with NSA and received additional briefings, demonstrations, and information. The
Board worked with NSA to reconfirm the validity of facts and briefings that were
provided in the 2015 timeframe.


Section II starts by describing technical concepts related to the
internet in general, then gives an overview of XKEYSCORE. These technical concepts


Section III starts with
that determines what data goes into XKEYSCORE. Then it provides a deeper look at
XKEYSCORE as a processing and discovery system. Section IV describes NSA's
explanations of its authorities and legal limitations. Section V makes
recommendations to NSA.

A. (U) The Internet


(U) When browsing the internet—say, going to Google to look up a fact or Netflix 
to watch a show—many take for granted that they can type in www.google.com or 
www.netflix.com, the page will appear, and soon thereafter the facts or show they were 
intending to browse will also appear. This sequence of events happens so quickly that 
one may assume that the processes underlying it are straightforward. They are not. 


(U) When a user enters the name of a website (i.e., the URL) into a browser, the 
computer does not initially know how to contact that website. Indeed, it does not 
know what “Wikipedia” or “Netflix” or “Google” is, never mind how to connect to it. 
To view a website, the address, like www.google.com, is first translated into a numeric 
internet protocol (“IP”) address—a series of decimal or hexadecimal numbers that 
corresponds to the server providing the webpage.10 Information the user is sending,
such as a request for a website, is then sent in “packets,” which are pieces of digital 
communications (web page requests, emails, internet-based telephony, etc.) that 
contain both the user’s IP address as well as the IP address of the remote machine with 
which they are communicating. 


10 (U) These IP addresses are obtained through the “domain name system” (“DNS”). JAMES F. KUROSE
& KEITH W. ROSS, COMPUTER NETWORKING: A TOP-DOWN APPROACH § 2.4 (7th ed. 2017). The network
graphic on page 8 is also from this textbook.

(U) When files are transmitted across the internet, they are broken into chunks, called
packets, which are individually routed to the final destination and reassembled when they get
there.


(U) Similarly, even when the user’s computer knows the IP address to which the 
packets should go, it generally does not know how to get the packets there. Instead, 
the packets are sent to a piece of hardware—a router—which contains more 
information on where to direct packets based on their destination IP. Often, there is
another router. Thus, a commercial router may not direct an office’s internal packets 
to their destination, but rather direct traffic to and from the broader internet to a 
router belonging to an internet service provider (ISP). In turn, that router will check 
to see if it knows where to route the packets and will continue the process. For 
example, the ISP may not be able to fully route the packets because it is not connected 
to the final destination; the ISP instead will direct them to another router it believes 
is closer to the destination and will know how to route the packets—say that of a 
different ISP. That ISP, in turn, may know that the IP address belongs to a commercial 
enterprise it services, and direct the packets to that router. That router will know the 
specific device to communicate with, and deliver the packets to their final destination. 
This process would be repeated in the reverse direction as packets are sent back.

(U) The path that packets take to travel between destinations need not be tightly
correlated to the locations of the participants. In an attempt to communicate online 
with a person in the same city, it is possible the packets would travel hundreds or 
thousands of miles away before returning. It generally makes sense to limit needless 
data movement, but the router that knows how to find a neighbor may not be in that 
neighborhood, or even in that city. Moreover, routing decisions are based, in part, on 
the agreements companies make with each other and the cost of moving that data. 
Thus, even if there is a fairly direct connection between two systems, an ISP may 
determine it is more cost effective to use a different router in a different location to 
direct the data. 


(U) Movement along these routes generally occurs through physical cables. This 
is true for most of a packet's travel, even if a user is connected to the internet via a 
wireless or a cellular connection. This is because in most cases, as noted above, when 
a smartphone or laptop user is browsing the internet, their device is not connected 
directly to the server hosting that internet content. Rather, the user's device is first 
connected, via wireless internet or a cellular connection, to a piece of hardware located 
nearby, often a home or business router. However, a physical cable often connects 
that router to a broader network, such as one owned by an ISP. These are, in turn, 
generally connected to other networks via physical cables. Thus, the communications 
between two people on laptops, both connected wirelessly to the internet, are 
extremely likely to pass through a series of physical cables.

(U) The paths taken by packets sent from address A to address B may vary over
time, even from minute to minute, and the path taken from A to B may not be the exact 
reverse of the path from B to A. Network routes can and do change in real time to route 
around network failures or traffic congestion. 


(U) Today, the world is crisscrossed with those cables, which are responsible for 
carrying the vast majority of digital communications. This includes undersea cables, 
often operated by private companies that engage in agreements with peers and service 
providers for the transmission of communications worldwide.11 It also includes cables
running to homes, schools, and businesses. The physical cables around the world thus
move huge volumes of data: data destined to or from people who may live or work by
one of those cables’ terminal points and, potentially, data to or from people in other
parts of the world, who have their data routed through the cable as one of many steps 
on a longer path. 


(U) [Figure: Submarine Cables in Asia]


(U) As the need to pass this digital information has increased, so too has the 
bandwidth (a measure of the capacity of data transfer) of these cables. Modern cables 


11 (U) See, e.g., Undersea Cables Transport 99 Percent of International Data, Newsweek (Apr. 2, 2015),
available at www.newsweek.com/undersea-cables-transport-99-percent-international-communications-319072.

now use fiber optics to transmit digital information. To maximize the amount of data
that can be transferred, a cable may bundle together multiple fibers. Each of those 
fibers is actually capable of carrying multiple communications simultaneously as 
distinct wavelengths, each referred to as a “communications link.” 


(U) This means the cables carrying web browsing, Netflix shows, email 
communications, or voice traffic are neither directly between a user and, say, Netflix, 
nor are they exclusively the user's. Someone's packets may be passing through cables 
hundreds of miles away alongside the emails or Netflix queue of a stranger they have 
never met. This process is largely invisible, almost instantaneous, and, for most 
internet users, completely unnecessary to understand. 


B. (U) NSA Activities 


intelligence-gathering mission. That mission is guided by intelligence requirements
set by policymakers to inform US government objectives, including counterterrorism.


[illegible] for PCLOB, Slide 15 (May 27, 2015).

(U) None of that is XKEYSCORE, the subject of the Board’s review and this report.
XKEYSCORE begins with what NSA does next.

III. (U) XKEYSCORE in Depth

A. (C//REL TO USA, FVEY) Determining What Data
Goes into XKEYSCORE

(TS//SI//REL TO USA, FVEY) The activities we have reviewed involve the use of
XKEYSCORE as a data analysis tool rather than a data collection system. Therefore,
before NSA uses XKEYSCORE, it must decide what data to collect and send to


18 (U//FOUO) PCLOB Notes from May 27, 2015 and July 23, 2015 NSA Briefings (with accuracy edits
from NSA).

[illegible] to focus
its collection on
that will provide the greatest amount of
foreign intelligence on the most pressing intelligence priorities.22


How NSA prioritizes foreign intelligence, and de facto deprioritizes USP and
valueless data, evolves continually. But the goal is always to target and increase its


20 (U//FOUO) NSA Briefing on XKEYSCORE (Feb. 7, 2019).

collection of foreign intelligence and decrease its collection of [illegible] data.23
2015, when the Board began its XKEYSCORE review, NSA used
wher


exclude superfluous data.24 As of 2020,
Board requested update information,


become less common. Now, NSA uses improved to prioritize
retention of foreign intelligence traffic and delete unknown and superfluous traffic.
For example,


23 [illegible] The Board understands “superfluous” data to mean valueless (USP or
non-foreign intelligence) traffic.


response to notes from and survey and [illegible] re: Initial
Answers to 2019 Tranche One PCLOB Questions (July 9, 2019).

2. (U//FOUO) XKEYSCORE Processing and
Indexing

(b) (1)
(b) (3)-P.L. 86-36
(b) (3)-18 USC 798
(b) (3)-50 USC 3024(i)
(b) (5)

of XKEYS p. 4.

34 (U//FOUO) NSA briefing on XKEYSCORE and Processing (July 23, 2015; follow-up briefing on Aug.
4, 2015).


"ч 


35 [illegible] NSA response to notes from XKEYSCORE and survey and access
briefings; see also NSA Legal Analysis of XKEYSCORE at n. 9


36 (9NF) See NSA Legal Analysis of XKEYSCORE, pp. 9-10


37 (U//FOUO) Call with NSA re: Initial Answers to 2019 Tranche One PCLOB Questions (July 9, 2019).


38 (U//FOUO) NSA Briefings and Demonstrations for the Board re: XKEYSCORE (Apr. 5, 2019).
39 (U) NSA Answers to PCLOB Questions (Aug. 6, 2019).

41 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.

43 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.


44 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.

survey and access briefings.

47 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.

50 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.
51 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.
52 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.

Imagine you are researching the Constitutional Convention, so
you go to the library to find books about James Madison's role. You know that there are many
books about the Constitution and about James Madison; you only want books that concern both.


At the library, you consult the card catalog. It has one card for every book in the library. Each card
lists certain attributes of its corresponding book: the date, the author, the publisher, its subjects.
To find the books you want in this library, you search for cards that list both James Madison and
the Constitution as subjects. When you find cards that fit those criteria, you read the corresponding
books.


53 [illegible] Handbook, p. 8 (2013).


54 (U//FOUO) NSA response to PCLOB draft, October 2020.

analysts use XKEYSCORE


(b) (3


55 (U//FOUO) The decision to run queries in XKEYSCORE is a human one. While an analyst may set
— to run — times, — decide what to look for,


56 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.


57 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.
58 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings.
NSA analysts are trained to start with the
narrowest and most tailored queries they can


(b) (3)-P.L. 86-36


59 (U//FOUO) NSA Answers to 2019 Tranche One PCLOB Questions (July 12, 2019).


(U//FOUO) NSA Briefings and Demonstrations for the Board re: XKEYSCORE (Apr. 5, 2019).

[illegible] The image above shows a portion of the query form an analyst would
use when searching
The top of the image shows the basic information that must
be filled in, including the name of the query and the justification for running it. The bottom part of the
image shows where an analyst would set parameters for their query. In this image, the analyst would be
creating a query
C. (U) Operational Value


[illegible] NSA analysts query XKEYSCORE primarily for


target discovery and development.


[illegible] NSA provided the Board with two historical examples that illustrate
how XKEYSCORE has been used to advance the agency's counterterrorism mission.67


(b) (3)-P.L. 86-36

66 (U//FOUO) NSA Briefings and Demonstrations for the Board re: XKEYSCORE (Apr. 5, 2019).
67 (U//FOUO) NSA staff briefing to the Board on XKEYSCORE and Processing (July 23, 2015).
D. (U) Compliance Measures

(b) (3)-18 USC 798
(b) (3)-50 USC 3024(i)
(b) (3)-P.L. 86-36


1. (U) Auditing


(S//SI//REL TO USA, FVEY) NSA analysts’ use of XKEYSCORE is subject to an
extensive audit process. Notably, just as is not part of XKEYSCORE,
NSA’s auditing capabilities are not part of XKEYSCORE. However, given how
embedded the auditing process is within XKEYSCORE, it is difficult to understand one


(S//SI//REL TO USA, FVEY) Analysts must justify every query run in
XKEYSCORE. The queries, along with those justifications, then go through NSA's
auditing process, with NSA policy requiring that all queries be audited within

The core of this process are NSA employees who function as
auditors. An auditor must be a US civilian or military NSA employee who (a) has
completed all required compliance training and has the required access, (b) is working
in the relevant SIGINT mission, and (c) is familiar with the targets and types of queries
executed within the SIGINT mission by NSA personnel. To increase the efficacy of the
reviews, auditors are required to understand the complexities of the queries that they
review.


(S//SI//REL TO USA, FVEY) To implement this auditing requirement, NSA relies
on a tool called LEGALEAGLE. LEGALEAGLE allows auditors to see the queries run
in their mission area, look at queries by specific users, or flag queries for additional
review. The auditors are reviewing the queries themselves for intent and
compliance; they do not see the results of those queries.70


68 (U) Phone call between NSA staff and PCLOB staff regarding NSA Deep Dive Follow-up Questions
(Aug. 26, 2016).


69 (U//FOUO) NSA Briefings and Demonstrations for the Board re: XKEYSCORE (Apr. 5, 2019).


70 (U//FOUO) Notes from July 23, 2015 NSA Briefing on XKEYSCORE and Processing, with August 4
Follow-up Briefing at p. 28.

[illegible] Not all XKEYSCORE queries carry the same
compliance and privacy risks. For this reason, NSA has created systems to estimate
the risk carried by each query. For example


71 When auditors review they are able
to access key components of XKEYSCORE directly from their
auditing platform.

2. (U) Training and Access Limitations


(U//FOUO) NSA has oversight and compliance measures at nearly every stage of
XKEYSCORE activity, from training to initial access to queries to an analyst's decision
to disseminate a report. These measures are a combination of human review and
automated systems designed to enforce compliance. NSA develops increasingly

(b) (3)-P.L. 86-36

complex technologies to [illegible] oversight and compliance measures, such as
to label queries as high- or low-risk.


(U//FOUO) With respect to training, NSA requires that all personnel with the
ability to review raw SIGINT data must complete online training and competency
testing prior to accessing data in XKEYSCORE.72 Mandatory training courses address
topics such as USSID-18 provisions, the definition of USP information, intelligence
oversight, SIGINT authorities, and legal requirements for SIGINT activities.73 Some
of these mandatory trainings are required for all NSA personnel, such as the NSA/CSS
Intelligence Oversight Training; others, such as the NSA Raw Traffic Database Auditor
Training, are limited to specific groups.74


[illegible] There are also optional, XKEYSCORE-specific
trainings.75 While these trainings are not mandatory, NSA reports that they are
completed by almost all new users of XKEYSCORE.76 The trainings provide an
overview of how XKEYSCORE works and how analysts can use it.77 They also cover
more advanced analytic applications, including
Trainings also reference compliance requirements.78 For example, a training course instructs
analysts to destroy USP communications as soon as feasible,


am 1 
71 (U//FOUO) NSA Briefings and Demonstrations for the Board re: XKEYSCORE (Apr. 5, 2019).
72 (U) The mandatory trainings are not specific to XKEYSCORE.


73 (U//FOUO) Trainings include: OVSC 1000 NSA/CSS Intelligence Oversight Training; OVSC 1100
Overview of Signals Intelligence (SIGINT) Authorities; OVSC 1800 USSID SP0018 Training for
Analytic Personnel; OVSC 2201 SID Intelligence Oversight Officer Training; OVSC 3101 NSA Raw
Traffic Database Auditor Training; PRIV1001 Annual Privacy Awareness Training; and PRIV1002
Privacy Training for Managers/Supervisors.

74 (U) Notes from July 23, 2015 NSA Briefing on XKEYSCORE and Processing and August 4 Follow-up
Briefing, at p. 17.


76 (U) Phone call between NSA staff and PCLOB staff regarding NSA Deep Dive Follow-up Questions
(Aug. 26, 2016).
77 (U
78 (U//FOUO

(U//FOUO) NSA's training takes various forms. Certain traditional NSA training,
such as those concerning NSA authorities under E.O. 12333, must be completed
annually. NSA's required annual training is often text or video followed by a test that
must be completed with a certain score. However, other NSA training is less
traditional. For example, NSA has built a “gamification” system into XKEYSCORE's
interface. Users gain “points” and “levels” by learning how to use progressively more
advanced features of XKEYSCORE’s analytic interface.


(U//FOUO) If an analyst has not completed the mandatory trainings, he or she will
not receive the credential needed to access XKEYSCORE data—though completion of
training is insufficient to gain access. An NSA system called enforces
training and other access limitations. Prior to accessing XKEYSCORE, NSA personnel
must have completed mandatory training and be assigned to a mission in the

system. That is, the NSA analyst would need to have a job (which
would have one or more “missions”) that required access to XKEYSCORE data.
Moreover, each authorized mission must have at least two auditors assigned to it. Any
time a user attempts to access XKEYSCORE, confirms there are still at
least two valid auditors.80
(b) (3)-P.L. 86-36


ACCESSING XKEYSCORE

[illegible] If an analyst works in the Operations Directorate and her duties require access to raw
SIGINT data via XKEYSCORE, she must meet certain requirements to gain access—it's not enough to
be an NSA employee. One of these requirements is an authorized mission: a focus area approved by
the Director of the NSA via the Operations Director. For example, an authorized mission could be
NSA records authorized missions in within
In addition to describing the mission (here,
also lists the people who will perform certain roles (oversight, access
sponsor, mission owner), provides the entitlements the mission requires (legal authorities, clearances,
tools, data sources, etc.), and lists the members of the mission (the people who perform the jobs to
accomplish the mission).


80 (U//FOUO) NSA Briefings and Demonstrations for the Board re: XKEYSCORE (Apr. 5, 2019). For
additional information on auditing, see Part III (D).
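
The access prerequisites described in this subsection (mandatory training, assignment to an authorized mission, and at least two valid auditors confirmed at every access attempt), as an added example that is not part of the report and is not NSA's code. All names, the placeholder course identifiers, the 365-day training validity and the sample records are assumptions constructed for illustration; auditor condition (c), familiarity with the mission's targets, is a human judgement and is not modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

TRAINING_VALIDITY = timedelta(days=365)  # assumption: "annual" modelled as 365 days
MIN_VALID_AUDITORS = 2                   # from the report: at least two auditors per mission
ANALYST_COURSES = ("MANDATORY-1", "MANDATORY-2")    # placeholder ids, not real course codes
AUDITOR_COURSES = ANALYST_COURSES + ("AUDITOR-1",)  # placeholder id for auditor training


@dataclass
class Person:
    name: str
    employee: bool
    trainings: dict = field(default_factory=dict)  # course id -> completion date

    def current(self, courses, today):
        """True if every listed course was completed within the validity window."""
        return all(
            c in self.trainings
            and timedelta(0) <= today - self.trainings[c] <= TRAINING_VALIDITY
            for c in courses
        )


@dataclass
class Mission:
    name: str
    members: frozenset   # people whose job requires access under this mission
    auditors: frozenset  # people assigned the oversight role for this mission


def valid_auditors(mission, people, today):
    """Assigned auditors who still meet the machine-checkable conditions today."""
    return [
        n for n in sorted(mission.auditors)
        if n in people and people[n].employee
        and people[n].current(AUDITOR_COURSES, today)
    ]


def check_access(user, mission, people, today):
    """Evaluate every prerequisite at access time; return (allowed, reasons)."""
    reasons = []
    person = people.get(user)
    if person is None or not person.employee:
        reasons.append("user is not a known employee")
    elif not person.current(ANALYST_COURSES, today):
        reasons.append("mandatory training missing or lapsed")
    # Training alone is insufficient: the user must belong to an authorized mission.
    if mission is None or user not in mission.members:
        reasons.append("user is not assigned to an authorized mission")
    else:
        # Re-counted on every attempt, so a lapsed auditor blocks access
        # even though nothing about the analyst has changed.
        n = len(valid_auditors(mission, people, today))
        if n < MIN_VALID_AUDITORS:
            reasons.append(f"mission has {n} valid auditor(s), needs {MIN_VALID_AUDITORS}")
    return (not reasons, reasons)


def _done(day, courses):
    return {c: day for c in courses}


# Constructed sample records (not real people, missions or courses).
PEOPLE = {
    "analyst": Person("analyst", True, _done(date(2024, 1, 10), ANALYST_COURSES)),
    "trained_only": Person("trained_only", True, _done(date(2024, 1, 10), ANALYST_COURSES)),
    "auditor_a": Person("auditor_a", True, _done(date(2024, 1, 10), AUDITOR_COURSES)),
    "auditor_b": Person("auditor_b", True, _done(date(2023, 6, 1), AUDITOR_COURSES)),
}
MISSION = Mission("EXAMPLE-MISSION", frozenset({"analyst"}),
                  frozenset({"auditor_a", "auditor_b"}))

if __name__ == "__main__":
    for day in (date(2024, 3, 1), date(2024, 7, 1)):
        print(day, check_access("analyst", MISSION, PEOPLE, day))
    print(check_access("trained_only", MISSION, PEOPLE, date(2024, 3, 1)))
```
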
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Жи а (р) (3)-50 USC 3024 (i) 
3. (U) Limitations on Data Use (b) (3)-P.L. 86-36 


(C//REL TO USA, FVEY) Part of what makes XKEYSCORE valuable is NSA's
ability to parse and use the data. As explained at greater length above, NSA does
extensive processing to enable users to access information they are looking for and

that could reveal targets or activities of foreign
intelligence interest. This power comes with limitations though, primarily derived
from the classified annex to Department of Defense Procedures Under Executive
Order 12333 and United States Signals Intelligence Directive 18 "Legal Compliance
and U.S. Persons Minimization Procedures" ("USSID-18"). NSA has explained that
one of the most significant protections is that users are, generally speaking, unable to
query on US persons. There are exceptions to this rule81—for example if
someone consents or NSA has obtained approval from the Attorney General.82
But NSA has explained that the volume of USP queries is exceedingly low—less
than[ — in September 2019.


WHEN ARE USP QUERIES DONE?

• (U) Consent: NSA can conduct USP queries when it has consent, generally
from their own employees or those of other government agencies who may be
going into harm’s way. NSA also uses consent as the basis to query for USP
hostages, hoping they may find раа аа to their ман,
• (U) Probable Cause: NSA can conduct USP queries when it has obtained a
probable cause order allowing electronic surveillance of a USP (typically an order
from the FISA court).
• (U) Attorney General Approval: NSA can conduct USP queries when it has obtained
Attorney General approval, which it sometimes does in addition to getting a
probable cause order.


(S//REL TO USA, FVEY) Moreover, in running queries, analysts are required
to provide a written justification of the intended foreign intelligence purpose for
the query. As discussed above, all of these justifications, as well as the
underlying query terms, are audited.84 These audits confirm that queries were
properly tailored as well as consistent

81 (U//FOUO) USSID SP0018, § 4.1(d).


82 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings. The ability
for the Attorney General to approve these queries ultimately derives from E.O. 12333 § 2.5. However,
the Board understands that, since the passage of the FISA Amendments Act in 2008, NSA has obtained
authorizations from the FISA court or pertinent emergency provisions within that statute. Thus, the
Board is not aware of any subsequent instances where NSA has relied solely on the authorities in E.O.
12333 § 2.5.


83 (U//FOUO) NSA response to notes from XKEYSCORE and survey and access briefings. See
"Oversight and Compliance,” Part III (D), for a discussion of the auditing process.


84 (U) For more information on the approval and auditing process, see Part III (D).


with legal and policy limitations. For example, XKEYSCORE queries must be based
on a foreign intelligence information need and must make attempts to limit US
collection from the results.85


(S//REL TO USA, FVEY) NSA also audis ta Ба БУУ protections that
limit retention and dissemination of information obtained through XKEYSCORE. In
order for an NSA analyst to use information found in XKEYSCORE, the analyst must

a human choice that does not happen
automatically. When making such a determination, NSA analysts provide a foreign
intelligence justification
86 Moreover, when information

Attorney General
Guidelines and NSA policies govern its handling. Pertinent here is Section 309 of the
Intelligence Authorization Act of 2015 and USSID-18 § 6, governing the retention of
communications to, from, or about US persons. XKEYSCORE-obtained information
must still comport with the access restrictions as well as

limits on retention found in that section.87


(S//SI//REL TO USA, FVEY) Under USSID-18,

that data can be stored for five years,
although in practice it may be shorter due to storage space limitations. This data is
tagged and regularly, automatically checked to ensure that it is deleted from NSA
repositories if it is the subject of a compliance issue or retention limits. XKEYSCORE
data can only be stored indefinitely when an analyst has evaluated and minimized it,
or when NSA reporting relies on the data.


(S//REL TO USA, FVEY) When USP information is used in an intelligence report,
there are further restrictions. Pursuant to NSA’s minimization procedures, NSA may
not disseminate non-publicly available information of or concerning a US person


function, not because of a legal or policy requirement. While analysts provide a foreign intelligence
justification, it is not checked by РА ек and is only done for the benefit of the analyst. NSA Briefing
on XKEYSCORE (Feb. 7, 2019 and July 23, 2020).


87 (U//FOUO) NSA Answers to 2019 Tranche One PCLOB Questions (July 12, 2019).


Doc Ref ID: A6724633


Doc ID: 6833923


absent that person's consent, unless a determination is made that such information is
necessary to understand or assess foreign intelligence. Even then, as a matter of policy,
NSA generally does not include the names of US persons in their intelligence reports.
Instead, they "mask" the names, using a generic term such as "US person 1."88 This
is because often only a subset of the recipients of the intelligence report need to know
the USP information to perform their duties. NSA also provides its analysts with
comprehensive guidance on how to properly reference masked US person identities in
reporting. This guidance emphasizes the need to avoid contextual identification,
which occurs if the identity of a US person is masked, but there are
enough other pertinent details that a recipient can identify the US person anyway.


Masking and unmasking


(U) Generally speaking, pursuant to NSA’s
minimization procedures, a US person identity
may be disseminated only if it is necessary to
understand or assess the foreign intelligence.
Even then, NSA will “mask” the identity in the
report by replacing a name or other unique
identifier with text like “US Person 1.”


(U) If an identity has been masked, but an
authorized recipient of the report feels that they
need the information to carry out their duties,
they can request NSA to unmask the identity. If
that request is approved by the NSA director or
a designee, the other entity would be provided
with the unmasked US person identity.


(S//REL TO USA, FVEY) If another agency then wants to know the identity of the
US person, that requires written documentation and approval. Among other things,
NSA requires “a fact-based justification” of why each individual who will receive the
US person identity needs it to carry out their duties.89 This request for “unmasking”
can only be approved by the NSA Director or a designee.90


(S//SI//REL TO USA, FVEY) In limited circumstances, NSA analysts may
proactively identify a US person by name, title, or context in a report. For instance,
NSA policy permits identifying certain senior US officials by title in a report.
Additionally, there may be a “blanket dissemination authority” for a US person


88 (U) See generally, NSA Policy 2-4, Handling of Requests for Release of US Identities, May 10, 2019.


89 (U) NATIONAL SECURITY AGENCY, HANDLING OF REQUESTS FOR RELEASE OF U.S. IDENTITIES, NSA/CSS
Policy 2-4 (May 10, 2019). NSA policy allows for oral requests in exigent circumstances. However, the
requesting entity must provide their basis using the traditional process within five days of the identity
being disclosed.


90 (U) NATIONAL SECURITY AGENCY, HANDLING OF REQUESTS FOR RELEASE OF U.S. IDENTITIES, NSA/CSS
Policy 2-4 (May 10, 2019).


identity where the appropriate officials have determined that the identity is necessary
to understand or assess the foreign intelligence on a recurring basis, and that all
recipients of the reporting will require that information to perform their official duties.
This may be the case, for example, if

happens to be a US
person as well (and therefore the subject of a Section 704 order issued by the FISA
court). Any unmasking of USP information is strictly controlled, however, and NSA's

group reviews each instance.


4. (U) Oversight

(U//FOUO) As a general rule, these compliance and oversight measures, including
training requirements, handling of data, and auditing, fall to NSA's Compliance
Group. The Compliance Group is responsible for routine oversight and compliance
matters and supporting NSA's Intelligence Oversight Officer in implementing SIGINT
compliance programs. The Compliance Group also engages in higher-level
oversight, such as "super audits"92 where they audit the auditors, and “compliance


(U//FOUO) The Compliance Group conducts site alane visits, where they
examine the compliance measures in place.94 They assess procedures against existing
standards, confirm that safeguards are operating as intended, and recommend
improvements.95 When doing super audits, the Compliance Group review query terms
run in XKEYSCORE.

super audits do not look at the results of an XKEYSCORE
query—only the query itself. Finally, compliance verification includes testing of purge
procedures.96


(U//FOUO) The Compliance Group is not the only entity ensuring compliance with
law and policy. Depending on the issue, the Office of General Counsel or the Inspector


91 (U) USSID-19 § 4.7.


92 (U) Super auditing is the independent review of activities conducted against raw SIGINT systems,
tools, or databases. USSID-19 § 5.
93 (U) USSID-19 § 4.7.
94 (U) USSID-19 § 4.7.
95 (U) USSID-19 § 4.7.
96 (U) USSID-19 § 4.7.


General may also get involved. NSA has explained that “[o]n occasion, decisions about
particular collections will require a risk assessment and/or additional specific
feedback relating legal and policy considerations."97 In such instances, the Office of
General Counsel, as well as the Civil Liberties Privacy and Transparency Office and
the Risk Management Office, would be consulted.98


Eerw However, when asked, NSA did not provide any examples from the
many years of XKEYSCORE operation in which the Office of General Counsel or the
Civil Liberties, Privacy and Transparency Office provided legal, policy, or risk
assessments on particular decisions. NSA declined to provide examples where either
office consulted on the selection

Further, neither
office has ever provided overarching guidance on the legal, privacy, or risk
considerations that NSA technical personnel should use when


97 (U) NSA Answers to PCLOB Questions (Aug. 6, 2019). 
98 (U) NSA Answers to PCLOB Questions (Aug. 6, 2019).


IV. (U) NSA’s Analysis of XKEYSCORE
A. (U) Background on E.O. 12333


(U) The specific authority NSA cites for its XKEYSCORE activities is Executive 
Order 12333. Section 1.7(c) of that order sets out general duties and responsibilities 
of NSA, while Section 2 discusses how NSA should conduct its intelligence activities. 
Within the order, Sections 2.3 and 2.4 are the most pertinent to the protection of USPs 
in the course of the covered activities. Section 2.3 regards the collection, retention, 
and dissemination of USP information. Section 2.4 discusses collection techniques 
and requires agencies to have specialized procedures regarding their use of particular 
techniques.99 


(U) The requirement for specialized procedures leads to the most detailed 
authorities for NSA activities: Attorney General-approved guidelines for engaging in 
specified intelligence activities. As a component within the Department of Defense 
(DoD), NSA is subject to the DoD’s Attorney General-approved procedures, DoD 
Manual (DoDM) 5240.01. NSA is also governed by the classified annex to 
DoDM 5240.1 as well as certain supplemental procedures that are not applicable to
XKEYSCORE. These policies each implement E.O. 12333 at various levels of 
granularity. DoDM 5240.01 is the Attorney General-approved DoD procedure for the 
collection, retention, and dissemination of information concerning USPs as well as the 
use of various intelligence techniques. While NSA is bound by this, the classified 
annex to 5240.1-R contains the Attorney General-approved procedures specifically for 
the collection of SIGINT, and thus provides more detail on NSA-specific SIGINT 
activities. 


(U//FOUO) In addition to the Attorney General-approved procedures, NSA has
created internal policies and implementing documents. The foremost is United States
Signals Intelligence Directive No. SP0018, “Legal Compliance and U.S. Persons
Minimization Procedures” (“USSID-18”). Naturally, implementing guidance such as
USSID-18 is more specific than the Attorney General guidelines in defining
permissible and impermissible activities. Thus, for NSA, questions about the
permissibility of SIGINT activities do not start with E.O. 12333 but with USSID-18, the
classified annex to 5240.1-R, and then DoDM 5240.01. These documents implement 


99 (U) E.O. 12333.


Sections 2.3 and 2.4 of E.O. 12333, but do so in a way that accounts for the specific
activities being undertaken.100
: NSA Explanation Regarding Jana 
Selection 


(U//FOUO) NSA locates its authority to run XKEYSCORE in E.O. 12333's mandate
that NSA "[c]ollect (including through clandestine means), process, analyze, produce, 
and disseminate signals intelligence information and data for foreign intelligence and 
counterintelligence purposes." This authority, they explain, allows them not only to 
collect known foreign intelligence signals, but also to engage in "search and 
development" operations, where NSA looks for signals containing foreign intelligence, 
though they know that in the process they may collect information that is not itself 
foreign intelligence information. This is most clearly articulated in USSID-18, annex 
E, “Search and Development Operations." However, it is rooted in E.O. 12333 and the 
classified annex to DoD's Attorney General guidelines. 


(S//REL TO USA, FVEY) XKEYSCORE collects foreign intelligence as defined in
E.O. 12333. There, foreign intelligence is defined as "information relating to the 
capabilities, intentions, or activities of foreign governments or elements thereof, 
foreign organizations, foreign persons, or international terrorists.” The “activities 
of . . . foreign persons" is broad—there is no requirement that the foreign person be a 
terrorist or spy, nor that the activity be illegal or undertaken on behalf of a foreign 
power. However, it is not unlimited. In addition to limitations on USP collection built 
into E.O. 12333, the classified annex explains that "it is the policy of the United States 
Signals Intelligence System to collect, retain, and disseminate only foreign 
communications and military tactical communications." Moreover, it limits the 
collection of USP communications by noting that such communications “may be


100 (U//FOUO) On August 8, 2016, the Attorney General-approved DoDM 5240.01: Procedures
Governing the Conduct of DoD Intelligence Activities and cancelled procedures 1-10 of DoD 5240.1-R:
Procedures Governing the Activities of DoD Intelligence Components that Affect United States Persons.
For much of the time period covered by the Board's review, the earlier DoD procedures were in effect.
The classified annex to DoDM 5240.01-R remains in effect. After review, NSA determined that 5240.01
did not impact the operation of XKEYSCORE. NSA Answers to PCLOB Questions, Aug. 6, 2019.


101 (U) E.O. 12333 § 3.5(e).
102 (U) DoD Regulation 5240.1-R Classified Annex § 3.


intercepted intentionally" only in certain circumstances, such as with the consent of
the USP or pursuant to a court order.103

(EHREE TOUSA FYE The National Intelligence Priorities Framework (NIPF)
contains foreign intelligence priorities that guide the IC's collection and analytic
activities.104 This framework is then translated into requirements for the various
elements of the intelligence community. NSA's specific SIGINT collection
requirements come from the National Signals Intelligence Committee, the group that
is responsible for translating the NIPF priorities into signals intelligence “information
needs.”


are based on an assessment of what is most likely to obtain
foreign intelligence information responsive to the identified information needs.


(G7 RER-FO-ESA^—FVEX) Within this effort to gather information ME ori
legitimate information needs, NSA must also “make[] every reasonable effort, through
surveys and technical means, to reduce to the maximum extent possible the number
of [USP] incidental intercepts acquired in the conduct of its operations.”105


103 (U) DoD Regulation 5240.1-R Classified Annex § 4(1).


104 (U) Intelligence Community Directive (ICD) 204: National Intelligence Priorities Framework § Dit
(Jan. 2, 2015).


105 (U) DoD Regulation 5240.1-R Classified Annex § 3.


106 (U) Phone call between NSA staff and PCLOB staff regarding NSA Deep Dive Follow-up Questions
(Aug. 26, 2016).


107 (U) NSA noted that the 2011 Judge Bates opinion describes exceptions to this presumption. Phone
call between NSA staff and PCLOB staff regarding NSA Deep Dive Follow-up Questions (Aug. 26, 2016).


Phone call between NSA staff and PCLOB staff regarding NSA Deep Dive Follow-up
Questions (Aug. 26, 2016).


(SL REL FO-USA- EVE NSA asserts that Шо јррорнаеј
balance the imperative to collect foreign intelligence information with the limits on
collection of USP information by excluding

communications and by focusing its efforts on predefined
intelligence priorities. In those instances where USP communications are acquired,
NSA asserts that the collection is incidental and remains reasonable under the totality
of the circumstances given the back-end restrictions on the use of USP
communications.


109 (ЖӨНӨ) NSA Briefing on XKEYSCORE (Feb. 7, 2019). As noted above, because US person
information is unlikely to contain the foreign intelligence NSA seeks,


110 (U) C.f. Classified Annex § 4 (limiting the intentional acquisition of USP communications) and
USSID-18 Annex E (explaining how to handle USP information obtained as part of a search and
development operation).


Additional views of Chairman Adam Klein

(U) I join in full our report on XKEYSCORE and am grateful to the staff — whose
diligence and expertise enabled us to successfully conclude this long-running project. I write
separately to offer additional thoughts on XKEYSCORE's value and accompanying privacy
safeguards.

(SAREE) First things first: There should be little doubt that XKEYSCORE is highly effective at
discovering foreign intelligence that can be used to protect the United States:


EFSHSHNE) NSA has provided several vignettes demonstrating XKEYSCORE’s contribution to
specific counterterrorism successes.


(U) Powerful tools like XKEYSCORE must be constrained by law and policy, and these laws
and policies must be enforced by effective compliance and oversight mechanisms.
XKEYSCORE operates within well-established legal and policy constraints, which are enforced
by the compliance infrastructure at NSA.


(SHSH/REL) Some of these constraints limit the information that comes into XKEYSCORE and
how long it remains there:


(U) Title VII of the Foreign Intelligence Surveillance Act prohibits the use of NSA’s EO
12333 SIGINT infrastructure, including XKEYSCORE, to target U.S. persons for
collection of content without probable cause, consent, or an emergency authorization
from the Attorney General.1


о (TSUSP/REE) 


(SHSHAREE) Other safeguards regulate how the information can be accessed and used

That is important. In the
digital era, effective intelligence is, to a significant degree, an exercise in collecting and
analyzing large datasets. By virtue of the volume of traffic and the interconnected, borderless
nature of modern telecommunications, collection on this scale will inevitably include
information about Americans. Once information about Americans comes into an agency's


1 See 50 U.S.C. § 1881c.


hands, it is the task of law, policy, technical controls, institutional safeguards, and agency culture
to limit its use. The wider the aperture for front-end collection, the more important these back-end
protections become.


(ат) XKEYSCORE has a wide aperture, so it is appropriate that it includes significant
back-end protections. Most notably:


• (SEE) Analysts are prohibited from running U.S.-person queries in XKEYSCORE,
subject to very narrow exceptions. Analysts can run U.S.-person queries only with a
probable-cause order from the FISA Court, consent, or approval from the Attorney
General.2


• (SAREH) All XKEYSCORE queries are subject to robust, technologically advanced
logging and auditing, which our report describes in detail. As part of this system:


o (SAREE) Analysts must provide detailed, non-formulaic justifications for each
query.
o (SRE) Each query is logged; these logs include the analyst's justification and
various other telltale details about the query.


o (SHSHAREL) NSA's auditing system uses Сф to help identify queries
that may be insufficiently tailored or non-compliant. Human auditors familiar
with the analyst’s mission then review every query deemed to pose a risk of
noncompliance.


o (SHSHREŁ) Under NSA rules, queries based on broad criteria must be tailored to
avoid returning information that is not foreign intelligence.3
• (52-Е) If an analyst's query returns information about an American, NSA policies limit
how that information can be used, retained, and disseminated.4


HSHAREL) The auditing architecture, described in Part III.D.1 of our report, is noteworthy.
The system enables meaningful scrutiny, in close to real time, and appears to be much more
effective and comprehensive than the post hoc site visits and manual spot checks on which some
other agencies rely.


SNF) Our Board reviews large-scale collection programs across IC and non-IC agencies. It is
noteworthy that while NSA has developed sophisticated technical capabilities to log queries, to
record query justifications,

and to organize queries for efficient review by human auditors, systems in use at other agencies
are less advanced. As Recommendation 6 from the Board's report envisions, NSA's audit

2 (U) See Parts III.D.3 and IV.A


3

"SELECTION TERMS that have resulted or are
reasonably likely to result in the of communications to or from such persons or entities shall be
designed to defeat, to the greatest extent practicable under the circumstances, the INTERCEPTION of those
communications which do not contain FOREIGN INTELLIGENCE.”).
4 See, e.g., DoDM 5240.1 and Classified Annex; USSID-18.


program can offer a useful example (and perhaps some technical solutions) to other IC elements
seeking to ensure effective oversight of their personnel’s access to large, sensitive datasets.


(U) Of course, the adequacy of the controls we have identified depends on how effectively and 
thoroughly they are implemented, and on vigorous monitoring. The Board will monitor the 
implementation of the recommendations in this report and remain alert to significant changes in 
how XKEYSCORE is deployed going forward.


Separate Statement of Member Aditya Bamzai

(TS"" SNP) I join in full the Board's Report on XKEYSCORE. I write separately to
address the legal questions raised by the capabilities described in this Report and to provide a
conceptual framework for the Fourth Amendment analysis that the Report recommends the NSA
undertake. The analysis that the NSA provided to the Board2 to justify the legality of
XKEYSCORE reli


2 (БӨЛӨК) See NSA, Legal Analysis of XKEYSCORE (Jan. 20, 2016) (“NSA Legal Analysis") (created for
PCLOB in response to the Board's request for any legal analyses written about XKEYSCORE).


I.
(U) To start at the beginning, the Fourth Amendment provides:


The right of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and no Warrants
shall issue, but upon probable cause, supported by Oath or affirmation, and
particularly describing the place to be searched, and the persons or things to be
seized.5


By its terms, the Fourth Amendment thus contains a general prohibition on “unreasonable
searches and seizures,” as well as a requirement that “Warrants” be issued only under certain
conditions—namely “upon probable cause, supported by Oath or affirmation, and particularly
describing the place to be searched, and the persons or things to be seized." I will call the
prohibition on “unreasonable searches and seizures” the Fourth Amendment’s “Reasonableness
Clause,” and the provision setting forth requirements for warrants the Fourth Amendment's
“Warrant Clause."


(SAREE) Against this textual backdrop, two possible Fourth Amendment frameworks
might bear on the legality of the collection of the type of information at issue in the uses of
XKEYSCORE analyzed in the Board's Report. Under the first framework, the type of
information collected for analysis using XKEYSCORE (or the manner of its collection) might
fall outside of Fourth Amendment protection altogether. To put this point slightly differently,
certain activities conducted by the government, though they may qualify as “searches” and
“seizures” colloquially understood, fall outside the scope of the Fourth Amendment's
protection—say, because they involve searches of non-U.S. persons conducted overseas. Such
government activities might be subject to neither the Fourth Amendment’s Reasonableness
Clause nor its Warrant Clause.


(Е) Under the second framework, an exception to the Fourth Amendment’s Warrant
Clause might apply to the type of collection at issue in the Board's Report and analyzed using
XKEYSCORE, leaving the Fourth Amendment's "Reasonableness Clause” applicable. To put
this point slightly differently, the type of collection at issue in the context of XKEYSCORE
might not require a warrant under the Fourth Amendment, but might still have to satisfy the
general prohibition against “unreasonable” searches and seizures.


5 (U) U.S. Const. amend. IV.

7 (U) The term "United States person” is defined in several sources of law. See Executive Order No. 12,333 § 3.5(k)
(defining the term to mean “a United States citizen,” “an alien known by the intelligence element concerned to be a
permanent resident alien,” “an unincorporated association substantially composed of United States citizens or
permanent resident aliens,” or “a corporation incorporated in the United States, except for a corporation directed and
controlled by a foreign government or governments”); 50 U.S.C. § 1801(i) (defining the term to mean “a citizen of
the United States, an alien lawfully admitted for permanent residence [in the United States], . . . an unincorporated
association a substantial number of members of which are citizens of the United States or aliens lawfully admitted
for permanent residence, or a corporation which is incorporated in the United States,” unless such an association or
corporation "is a foreign power").


(GAREL) In my view, it seems doubtful that all of the content collected for analysis using
XKEYSCORE is outside Fourth Amendment protection altogether. For clarity, I nevertheless
briefly address that possibility in Part II. It is more likely that the collection and analysis of
XKEYSCORE is not subject to the Warrant Clause, but is subject to the Reasonableness Clause.
I therefore address the proper framework for analyzing this issue in more detail in Part III.


(SHARED) For purposes of clarity and comprehensiveness, I will start by discussing the
possibility that neither the Warrant Clause nor the Reasonableness Clause applies in the
XKEYSCORE context because of the extraterritorial exception to the Fourth Amendment
identified in United States v. Verdugo-Urquidez.8 As I explain below, I ultimately conclude that
this approach is unlikely to provide a complete and satisfactory answer.


(U) In Verdugo-Urquidez, the Supreme Court held that the Fourth Amendment does not
apply “to the search and seizure by United States agents of property that is owned by a
nonresident alien and located in a foreign country.” The case therefore held that neither the
Fourth Amendment’s procedures for warrants, nor the Fourth Amendment's general requirement
of reasonableness, applied in the circumstances at issue. At the same time, the case concerned
the warrantless search of the residence in Mexico of a citizen and resident of Mexico, who had
been brought to the United States for prosecution.10 It therefore did not specifically address the
incidental collection of any U.S. person information, nor did it address the collection within the
United States of non-U.S.-person communications abroad.


(FSHSHANE) In some respects, Verdugo-Urquidez did not break new ground. Six
before the Court decided Verdugo-Urquidez in the context of physical home searches


8 (U) 494 U.S. 259 (1990).

9 (U) Id. at 261; cf. United States v. Curtiss-Wright Export Corp., 299 U.S. 304, 318 (1936) (“Neither the
Constitution nor the laws passed in pursuance of it have any force in foreign territory unless in respect of our own
citizens.”). As the Court's opinion in Verdugo-Urquidez indicates, the Court's holding appears to be consistent with
early practice under the Fourth Amendment with respect to the seizure of foreign vessels in non-United States
territory. See 494 U.S. at 267-68 (describing how, seven years after the Fourth Amendment's adoption, the United
States engaged in an “undeclared war" with France following “French interference with American commercial
vessels," for which Congress enacted a statute authorizing the President to “instruct the commanders of the public
armed vessels which are, or which shall be employed in the service of the United States, to subdue, seize and take
any armed French vessel, which shall be found within the jurisdictional limits of the United States, or elsewhere, on
the high seas") (quoting An Act Further to Protect the Commerce of the United States, ch. 68 § 1, 1 Stat. 578, 578
(1798)).


10 (U) See 494 U.S. at 262.
п (Betti


Reasonableness Clause, but not the Warrant Clause, applies to the incidental collection of U.S.
person communications abroad.


(U) As a result, the application of the extraterritoriality exception to both the
Reasonableness and Warrant Clauses of the Fourth Amendment under Verdugo-Urquidez
depends on a predictive judgment of the likelihood that Fourth-Amendment-protected
information will be collected along with information outside the scope of the Fourth
Amendment's protections. Where such collection is unlikely, the targeting of non-Fourth-Amendment-protected
information would be outside the scope of the Fourth Amendment's
warrant and reasonableness requirements. Where such collection is more likely, then the
targeting might be subject to both or, if an exception to the warrant requirement is applicable, to
the reasonableness requirement alone.


(b) (1) 
8 (U) See infra Part ШВ.1. (b) (3)-P.L. 86-36 


Md (b) (5) 
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(U) I believe the same basic analysis remains«clcvant today. Some overseas searches 
and scizures of non-U.S. persons may fall outside the protections of the Fourth Amendment 
altogether under Verdugo-Urquidez. Where it is anticipated that U.S. person communications 
might be intercepted, however, the proper analysis requires application of the Fourth 
Amendment—to which I turn below. (b) (1) 


(TS//SI//NF) Because I understand that it can be anticipated that some U.S. person
communications might be intercepted and then analyzed using XKEYSCORE, it is necessary to
address the more comprehensive Fourth Amendment framework applicable to these
circumstances. Written decades a


nature of incidental collection, (2) the extraterritorial and foreign intelligence “exceptions” to the
Fourth Amendment's Warrant Clause, and (3) the appropriate analysis under the Reasonableness
Clause. I discuss the three in turn.


(ESAME) Approaching the question from the vantage point of a “predictive judgment” is consistent with the
mainstream view that Fourth Amendment analysis is conducted from an ex ante perspective, assessing “whether a
proposed investigatory activity was reasonable given what the government knew at the time, rather than with the
benefit of hindsight.” PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD, REPORT ON THE GOVERNMENT'S USE OF
THE CALL DETAIL RECORDS PROGRAM UNDER THE USA FREEDOM ACT 41 (Feb. 2020); see also Anderson v.


(TS//SI//REL) To the extent that the collection analyzed in XKEYSCORE might involve
U.S. person information, the legality of such warrantless collection must depend on the concept
of "incidental interception."21 Because the program's purpose is to find foreign communications
tion of ti


(U) The concept of “incidental interception” has a long history in cases that involve
surveillance using “hard selection”—for example, surveillance under a wiretap. In such cases,
the “incidentally collected” communications had been sent to or from a specific person (or
facility) targeted by the government.


(U) Two recent cases arising in the context of surveillance under Section 702 of the
Foreign Intelligence Surveillance Act24 illustrate the contours of this doctrine and its application
outside of the “pure” wiretap context. In United States v. Hasbajrami, the Second Circuit
described “incidental collection” as occurring upon “the collection of the communications of
individuals in the United States acquired in the course of the surveillance of individuals without
ties to the United States and located abroad.” Such incidental collection, the Second Circuit
held, “is permissible under the Fourth Amendment.” As an example, the Second Circuit
observed that incidental collection could be premised on appropriate “targeting”—namely, “the


23 (U) See United States v. Kahn, 415 U.S. 143 (1974); Clay, 430 F.2d at 170-72.

24 (U) 50 U.S.C. § 1881a. The Second Circuit has recently, relying on a report of this Board, described section 702’s
statutory scheme. See United States v. Hasbajrami, 945 F.3d 641, 650-58 (2019) (citing PRIVACY AND CIVIL
LIBERTIES OVERSIGHT BOARD, REPORT ON THE SURVEILLANCE PROGRAM OPERATED PURSUANT TO SECTION 702
OF THE FOREIGN INTELLIGENCE SURVEILLANCE ACT (July 2, 2014) (“PCLOB Section 702 Report”)).


25 (U) 945 F.3d 641 (2d Cir. 2019).
26 (U) Id. at 646; see id. at 654 (“Incidental collection occurs when a non-targeted individual (a United States person
or someone in the United States) communicates with a targeted non-United States person located abroad.”).
27 (U) Id. at 646. The Second Circuit distinguished such “incidental collection” from “inadvertent collection,” which
it defined as collection that

occurs when the NSA reasonably believes that it is targeting a non-United States person located
abroad, or does not have enough information to determine whether an individual e-mail address or
other communications facility is being used by a United States person or accessed from within the
United States, and therefore presumes that the account is controlled by a foreigner outside the
United States. The collection is characterized as “inadvertent” when the agency learns that the
person controlling the account is a United States person after it has already acquired some of the
person’s communications. In essence, inadvertent collection occurs when the NSA targets United
States persons or individuals located within the United States in error: the agency thought it was
targeting a foreign individual abroad, but the targeted person was in fact a United States person or
an individual located in the United States.
decision to surveil an individual or his or her channels of electronic communications”—that
comports with the Fourth Amendment. And the Second Circuit reasoned that surveillance
could be incidental, and permissible, even where the government expected that it would collect
some United States person communications. As the Second Circuit put it, “That the overall
practice of surveilling foreigners abroad of interest to the legitimate purpose of gathering foreign
intelligence information may predictably lead to the interception of communications with United
States persons no more invalidates that practice, or requires the government to cease its
surveillance of the target until a warrant is obtained, than the general foreseeability of
intercepting communications with previously unknown co-conspirators undermines the
inadvertent overhear doctrine in ordinary domestic criminal wiretapping.”


(U) In United States v. Mohamud, the Ninth Circuit held that collection of the
communications of a U.S. person who communicated with a foreign target “d[id] not require a
warrant, because the search was targeted at a non-U.S. person with no Fourth Amendment
right.” The court referred to this as the “incidental overhear” approach, borrowing from the
familiar notion that, in the context of a traditional wiretap, “failure to identify every individual
who could be expected to be overheard” does not make the acquisition unlawful. The court
also quoted this Board's description of incidental collection from the Board's 2014 report on
Section 702, which also presumed a target: “The collection of communications to and from a
target inevitably returns communications in which non-targets are on the other end, some of
whom will be U.S. persons.”


(TS//SI//REL) The question presented by XKEYSCORE is whether the same concept of
“incidental” collection applies where 


In this respect, 


ection surveillance arguably might be understood to bear greater resemblance to the 


Id. at 656. Inadvertent collection, the Second Circuit said, “raises novel constitutional questions.” Id. at 646.


28 (U) Id. at 652. Targeting has a technical meaning in the context of FISA. In this Statement, my concern is “with
the procedures designed to protect the constitutional privacy rights of Americans and comply with the Fourth
Amendment inside the United States and not with the obviously confidential procedures and criteria by which
United States intelligence agencies decide which non-United States persons located abroad are appropriate objects
of surveillance.” Id.


29 (U) Id. at 664.
30 (U) Id. at 665.


31 (U) Id. As the Second Circuit observed, “[i]n the nature of law enforcement, there is always a possibility that the
collection of evidence against a person who there is already probable cause to believe is involved in criminal
activity or who is otherwise legitimately subject to surveillance will also develop information about others not
previously reasonably suspected of wrongdoing.” Id. The Second Circuit also observed that there was “no
contention” that the surveillance “was undertaken as a pretext to collect the communications” of a U.S. person. Id.
32 (U) 843 F.3d 420 (9th Cir. 2016).


33 (U) Id. at 439.


34 (U) Id. at 439 (quoting United States v. Donovan, 429 U.S. 413, 436 n.24 (1977)).
35 (U) Id. at 440 (quoting PCLOB Section 702 Report at 82).




Doc Ref ID: A6739552 


Doc ID: 6833921 
Section 70
specific targets whose communications are intentionally collected, and various co-communicants
whose communications are incidentally collected.


The ingestion of some U.S.-person
communications into XKEYSCORE may not be specifically intended, but it is a natural result of
NSA’s approach.


(U) Several considerations suggest that the incidental overhear concept applies under
these circumstances, and counsel against the Fourth Amendment requiring further “targeting.”
First, as a conceptual matter, “[t]he ‘incidental overhear’ doctrine is closely related to the ‘plain
view’ doctrine applied in connection with physical searches.” The “plain view” doctrine is
applicable without further “targeting.” One might argue that, a fortiori, the incidental
overhear concept also does not require targeting.


(U) Second, several cases have made a comparable suggestion. In Hasbajrami, for
example, Judge Lynch observed on behalf of the Second Circuit that


law enforcement officers do not need to seek an additional warrant or probable
cause determination to continue surveillance when, in the course of executing a
warrant or engaging in other lawful search activities, they come upon evidence of
other criminal activity outside the scope of the warrant or the rationale justifying
the search, or the participation of individuals not the subject of that initial warrant
or search.


37 (U) To be sure, until April 2017, NSA also used Section 702 to collect messages about targeted selectors, where
“[a] U.S. person sen[t] or receive[d] an Internet communication that [was] routed internationally and that include[d]
a reference to a selector such as an email address used by a foreigner who ha[d] been targeted.” PCLOB Section
702 Report at 87; see also id. at 37-39.


3 (U) Hasbajrami, 945 F.3d at 664 n.17 (citing Coolidge v. New Hampshire, 403 U.S. 443, 456-67 (1971)).


*? (U) See Coolidge, 403 U.S. at 467-70.
41 (U) 945 F.3d at 662 (some emphasis added). The Second Circuit repeatedly adopted this formulation, strongly
suggesting it was a deliberate choice. See id. at 663 (“The Fourth Amendment generally is not violated when law
enforcement officers, having lawfully undertaken electronic surveillance, whether under the authority of a warrant
or an exception to the warrant requirement, discover and seize either evidence of criminal activity that they would
not have had probable cause to search for in the first place, or the relevant conversation of an individual they did not


(U) Judge Lynch’s use of the clause referring to “engaging in other lawful search
activities” suggests that the “incidental collection” concept applies whenever the government
conducts a lawful search, not merely when it obtains a warrant. Thus, in Hasbajrami itself, the
Second Circuit rejected the argument that the “incidental overhear” line of cases applied solely
where “there was already an initial warrant supported by probable cause.” The Second Circuit
held that “once that initial surveillance is rendered lawful by a warrant, a FISC order, or some
other exception to the warrant requirement, an additional warrant is not necessary in order to
collect the calls or e-mails of third parties.” “The reason why the initial surveillance was
lawful,” the Second Circuit continued, “does not matter to this conclusion.”


(U) Likewise, in Mohamud, the Ninth Circuit acknowledged that the leading precedents
involving application of the “incidental overhear” doctrine involved searches that “targeted
United States citizens and took place within the United States, so a warrant was required for the
initial search to be constitutionally permissible.” The Ninth Circuit held that


the guiding principle behind [the incidental overhear cases] applies with equal
force here: when surveillance is lawful in the first place—whether it is the
domestic surveillance of U.S. persons pursuant to a warrant, or the warrantless
surveillance of non-U.S. persons who are abroad—the incidental interception of
non-targeted U.S. persons’ communications with the targeted persons is also
lawful.


(U) The FISCR reached a similar conclusion in In re Certified Question of Law, holding
that incidental collection could be “constitutionally reasonable, even when done without a
probable-cause warrant.” In that case, the government's use of a pen register—subject to a pen
register application with a selection term, but without probable cause or a warrant—collected,
not merely metadata from a target's phone calls, but also “post-cut-through digits” dialed after a


anticipate or name in a warrant application.”) (emphasis added); id. at 667 (“[W]hen an officer executing a lawful
search or electronic surveillance warrant, or otherwise engaged in a lawful search, comes upon evidence of a
previously unsuspected crime, or learns of the involvement of a previously unsuspected individual, the officer is not
required to stop and obtain a new warrant to seize the item or to continue monitoring the phone line for which the
warrant was obtained.”) (emphasis added).


42 (U) Id. at 665.

43 (U) Id. at 665-66 (emphasis added).
44 (U) Id. at 666.

45 (U) 843 F.3d at 440.


46 (U) Id. at 440-41 (citation and quotation marks omitted) (quoting United States v. Hasbajrami, 11-CR-623 (JG),
2016 WL 1029500, at *9 (E.D.N.Y. Mar. 8, 2016)). For similar language from the FISCR, see In re Directives, 551
F.3d at 1015 (“It is settled beyond peradventure that incidental collections occurring as a result of constitutionally
permissible acquisitions do not render those acquisitions unlawful. The government assures us that it does not
maintain a database of incidentally collected information from non-targeted United States persons. On these facts,
incidentally collected communications of non-targeted United States persons do not violate the Fourth
Amendment.”) (emphasis added).
47 (U) 858 F.3d 591 (FISA Ct. Rev. 2016).
48 (U) Id. at 605.
49 (U) See 50 U.S.C. § 1842(c)(3).

call was connected, which the Court classified as “content” information for purposes of the
Fourth Amendment. The FISCR held that the collection of the post-cut-through digits was
incidental to the collection of the metadata and, hence, constitutionally permissible. In doing so,
the FISCR necessarily reasoned that the constitutionality of incidental collection does not hinge
on the existence of a warrant supported by probable cause.


(U) And the FISC has also reasoned similarly in a 2011 opinion by Judge Bates. In that
opinion, the FISC observed that it was addressing a factual scenario somewhat different from the
standard “incidental collection” paradigm. It observed that, in the scenario before it, “the
incidental acquisitions of concern are not direct communications between a non-target third party
and the user of the targeted facility,” nor “are they the communications of non-targets that refer
directly to a targeted selector.” Instead, the issue at hand before the FISC concerned
communications “acquired simply because they appear somewhere in the same transaction as a
separate communication that is to, from, or about the targeted facility.” The FISC observed
that “[t]he distinction is significant and impacts the Fourth Amendment balancing.”
Ultimately, the FISC treated this “distinction” as a factor relevant to the balancing approach
applied under the Fourth Amendment’s Reasonableness Clause.


(discussing incidental versus inadvertent collection).
51 (U) [Redacted], 2011 WL 10945618 (FISC Oct. 3, 2011) (“2011 Bates Opinion”).

52 (U) 2011 Bates Opinion at *27.

53 (U) Id. As the FISC observed, the NSA acquired the transaction “because it lack[ed] the technical means to limit
collection only to the discrete portion or portions . . . that contain a reference to the targeted selector.” Id. at *26.


54 (U) 2011 Bates Opinion at *27. Specifically, the FISC observed that “[a] discrete communication as to which the
user of the targeted facility is a party or in which the targeted facility is mentioned is much more likely to contain
foreign intelligence information than is a separate communication that is acquired simply because it happens to be
within the same transaction as a communication involving a targeted facility.” Id.


55 (U) 2011 Bates Opinion at *27-28.
(Бане) For the reasons given above, I believe that the principle of “incidental”
collection ——— ——————— applies in the context of XKEYSCORE.
First, as a conceptual matter, it is most plausible to consider “incidental collection” or “incidental
overhear” as an outgrowth of the “plain view” doctrine. When the government has the authority
to conduct particular surveillance—be it a result of a valid wiretap


a pen register, or some other

aspect of the Fourth Amendment—collection of other, non-targeted persons may occur in the
normal course as a matter of plain view. Second, as Judge Bates reasoned in his opinion for the
FISC, the concept of “inadvertent” collection has important ramifications for the Fourth
Amendment calculus, but those consequences seem best addressed in the analysis of a program's
reasonableness, rather than by denying application of the incidental collection doctrine
altogether. Indeed, Judge Lynch’s discussion of “inadvertent collection” in Hasbajrami can be
read to be consistent with this perspective. Thus, though the issue is a challenging one with
which various jurists have grappled in recent years, the better view is that the incidental
collection doctrine is applicable in this context.


(TS//SI//REL) Assuming that the “incidental collection” concept applies under these
circumstances, such collection must fall within the ambit of, or be “incidental” to, the collection
of some communications pursuant to an exception to the Warrant Clause of the Fourth
Amendment. There appear to be two possible exceptions—the extraterritorial exception and the
foreign intelligence exception—that might be applicable to the type of collection at issue here. I
address the two in turn. The application of either one of these two exceptions would mean that
the collection and analysis at issue in XKEYSCORE would remain subject to the
Reasonableness Clause.


(TS//SI//NF) Extraterritoriality. I have already discussed the extraterritorial exception to
the Fourth Amendment addressed in Verdugo-Urquidez, which applies to an overseas search of a
non-U.S. person. As I explained, Verdugo-Urquidez did not address the appropriate analysis
when an overseas search of a non-U.S. person results in incidental collection of U.S. person
communications. Since the Court’s decision in Verdugo-Urquidez, several courts have
addressed that factual scenario, holding that the Warrant Clause does not apply extraterritorially
to the searches of U.S. persons, but that the Reasonableness Clause does.


9 (U) In this respect, an analogy can be drawn between “inadvertent collection” and the “apparent authority”
doctrine of Fourth Amendment law, which assesses for Fourth Amendment reasonableness government actions
reasonably taken on information that later proved incorrect. See Orin S. Kerr, The Fourth Amendment and the
Global Internet, 67 STAN. L. REV. 285, 309 (2015) (citing Illinois v. Rodriguez, 497 U.S. 177, 179-80 (1990), and
reasoning that “[t]he analogy between apparent authority and unknown Verdugo-Urquidez status should be clear”).


8 (U) See supra Part II. 


*! (U) In addition to the cases discussed in the text, see United States v. Barona, 56 F.3d 1087, 1094-95 (9th Cir. 
1995), and United States v. Peterson, 812 F.2d 486, 490 (9th Cir. 1987). In both cases, the court determined that 
when American officials partner with foreign law enforcement officers in a "joint venture" to conduct a search of an 
American, the search must be reasonable under the Fourth Amendment. The opinions did not expressly address the 
warrant requirement, but neither required the government to obtain a U.S. warrant for such a search.


65 (U) A 1976 district court decision, Berlin Democratic Club v. Rumsfeld, held that prior judicial authorization by a
U.S. magistrate was required, but in a very unusual situation. 410 F. Supp. 144 (D.D.C. 1976). That case involved
a provision of West Germany's G-10 law, which governs telecommunications intercepts, that allowed U.S. officials
to request that the West German government conduct wiretaps where necessary to protect occupying NATO forces.

(U) In In re Terrorist Bombings of U.S. Embassies in East Africa, the Second Circuit
addressed how the Fourth Amendment applies to telephone wiretaps and physical searches
targeting a U.S. citizen residing in Kenya. The court held that “the Fourth Amendment’s
Warrant Clause has no extraterritorial application”; instead, “foreign searches of U.S. citizens
conducted by U.S. agents are subject only to the Fourth Amendment's requirement of
reasonableness.” Judge Cabranes's opinion explained that the Court had found no historical
evidence in support of requiring U.S. warrants to conduct an overseas search and quoted the
Supreme Court's statement in Verdugo-Urquidez that “[w]hat we know of the history of the
drafting of the Fourth Amendment . . . suggests that its purpose was to restrict searches and
seizures which might be conducted by the United States in domestic matters.”


(U) In United States v. Stokes, the Seventh Circuit considered a Fourth Amendment
challenge to the use of evidence found in a raid, conducted jointly by U.S. government and Thai
authorities, of an American citizen’s residence in Thailand. The Seventh Circuit adopted Judge
Cabranes’s reasoning and held that “the Fourth Amendment’s warrant requirement, and by
extension the strictures of the Warrant Clause, do not apply to extraterritorial searches by U.S.
agents.” Instead, “the search of Stokes’s home in Thailand [was] governed by the
Amendment’s basic requirement of reasonableness.”


(U) Recent court of appeals cases decided in the context of Section 702 have squarely
held that the target's location and status, rather than the collection device’s location, is
controlling for application of the extraterritorial exception for Fourth Amendment purposes.
That approach seems consistent with Chief Justice Rehnquist’s view in Verdugo-Urquidez that
the “available historical data show . . . that the purpose of the Fourth Amendment was to protect
the people of the United States against arbitrary action by their own Government; it was never
suggested that the provision was intended to restrain the actions of the Federal Government


The court held that the warrant requirement applied to a U.S. Army request to surveil U.S. citizens who were
effectively domestic political activists, even though they were located overseas. That case, even assuming that it
was correctly decided, is best seen as sui generis, in view of two unusual features. First, the surveillance, though
conducted abroad, targeted activities by U.S. citizens that related to inherently domestic political issues. Second,
the United States wielded quasi-sovereign authority in Berlin during the decades-long Allied occupation of that
city—authority reflected in the unusual provision of the G-10 law.


(U) In Best v. United States, 184 F.2d 131 (1st Cir. 1950), the First Circuit held that a warrant was not required for a
search conducted by the military “in the early months of the military occupation of Austria.” Id. at 139. However,
it suggested in dicta that a warrant would be required for FBI agents investigating a federal crime to search the
dwelling in Germany of a U.S. citizen working in a civilian capacity for the U.S. government. Id. at 138.


66 (U) 552 F.3d 157 (2d Cir. 2008).

67 (U) Id. at 171.

68 (U) Id. at 169 (quoting 494 U.S. at 266) (alterations in original).
69 (U) 726 F.3d 880 (7th Cir. 2013).


70 (U) Id. at 885-86. Stokes involved a U.S. citizen, residing in Thailand, who was suspected of sexually exploiting
children. Id. The U.S. and Thai governments conducted a joint raid of the defendant's home pursuant to a Thai
search warrant, which uncovered voluminous evidence of his guilt. Id. at 886.


71 (U) Id. at 893. The defendant had argued that the Thai warrant failed the Fourth Amendment's requirement of
particularity and that “the search exceeded the scope of the warrant.” Id. at 891.


72 (U) Id. at 893.

against aliens outside of the United States territory.” The Second Circuit in Hasbajrami held
that “a person who does not have a Fourth Amendment-protected privacy interest in his
communications, such as a foreign national resident abroad, does not acquire such an interest by
reason of the physical location of the intercepting device.” The Ninth Circuit in Mohamud
reasoned that “what matters here is the location of the target, and not where the government
literally obtained the electronic data.”


(U) Although this theory has yet to be expressly adopted by the Supreme Court, at least
as the law currently stands, the implications from Chief Justice Rehnquist’s opinion in
Verdugo-Urquidez and the holdings in Hasbajrami and Mohamud indicate that the application of the
extraterritorial exception depends on the nature of the communications intercepted, as opposed to
the location of the intercepting device. The Fourth Amendment's backstop requirement of
reasonableness still applies.


2. 


(U) Foreign intelligence. The Supreme Court has left open the possibility that the Fourth
Amendment may require different “safeguards” in the national security context than in ordinary
criminal cases. Based on such language, lower courts, including the Foreign Intelligence
Surveillance Court of Review, have embraced a “foreign intelligence” exception to the Fourth
Amendment’s warrant requirement. These courts have held that foreign-intelligence searches
must satisfy the Fourth Amendment requirement of reasonableness, rather than the usual
requirement that the government obtain probable cause and a warrant.


(U) The Foreign Intelligence Surveillance Court of Review has explained current 
doctrine in the following manner: 
73 (U) 494 U.S. at 266.
74 (U) 945 F.3d at 665; id. at 664 (rejecting the argument that “Verdugo-Urquidez does not control the outcome here
because Section 702 collection occurs in the United States”). The Second Circuit explained that “[a]t least where
the communication is collected essentially in real time as it occurs, the targeted communication . . . occurs in the
relevant sense where the person whose calls or e-mails are being intercepted is located, regardless of the location of
the means used to intercept it.” Id. (emphasis added).


ТУКА) Mohamud, 843 F.3d at 439 (quotation marks omitted) (quoting Hasbajrami, 2016 WL 1029500, at
*9 n.15) (rejecting the defendant's argument that “under Verdugo-Urquidez, the location of the search matters, and
that here, the searches took place in the United States”); see also DAVID KRIS & J. DOUGLAS WILSON, NATIONAL
SECURITY INVESTIGATIONS & PROSECUTIONS § 17:3 (2016) (“For non-U.S. person targets, there is no
probable-cause requirement; the only thing that matters is . . . the government's reasonable belief about . . . the target's
location”). Thus, with respect to the type of collection at issue in the XKEYSCORE context, the location of the
device is not dispositive.


75 (U) Katz, 389 U.S. at 358 n.23; United States v. U.S. Dist. Court for E. Dist. of Mich., 407 U.S. 297, 308-09 & n& 
(1972).
77 (U) See In re Directives, 551 F.3d at 1010; Truong, 629 F.2d at 915; accord Butenko, 494 F.2d at 605; Brown, 484
F.2d at 426.

When law enforcement officials undertake a search to uncover evidence of
criminal wrongdoing, the familiar requirement of a probable-cause warrant
generally achieves an acceptable balance between the investigative needs of the
government and the privacy interests of the people. But it has long been
recognized that some searches occur in the service of “special needs, beyond the
normal need for law enforcement,” and that, when it comes to intrusions of this
kind, the warrant requirement is sometimes a poor proxy for the textual command
of reasonableness.
In this context, the warrant requirement is ill-suited to gauge what is reasonable.
The textual command of reasonableness—“the ultimate touchstone of the Fourth
Amendment,”—still governs. Indeed, it retains its whole force.”


(U) Although lower court cases have embraced a foreign intelligence exception to the


On another view, the foreign-intelligence exception to the Warrant Clause applies somewhat
more broadly. As the FISCR has put it, the “warrant requirement . . . fails properly to balance
the interests at stake when the government is instead seeking to preserve and protect the nation’s
security from foreign threat” rather than investigating criminal wrongdoing. Similarly, the
Third and Fifth Circuits have suggested in dicta that the exception turns on the purpose of the
government's action, and applies to activities whose purpose is “gathering foreign
intelligence.”


(TS//SI//REL)


the ultimate question is whether the foreign
intelligence exception applies solely when government surveillance is “directed at a foreign
power or agent of a foreign power” or whether it also applies when government surveillance is
conducted for a foreign-intelligence purpose, rather than the purpose of investigating ordinary
crime. The daylight between these two ways of formulating the standard may matter in the
specific context of the collection analyzed by XKEYSCORE, because such collection is not
necessarily “directed at a foreign power or agent of a foreign power.” For example, the law at
issue in In re Directives permitted warrantless collection targeting a particular, known non-U.S.
person located overseas." The uses of XKEYSCORE the Board has ри in M Bonon do: 


not involve collecting the communications of a specific, targeted person; 


78 (U) In re Certified Question of Law, 858 F.3d 591, 605, 607 (FISA Ct. Rev. 2016) (citations omitted) (first
quoting Vernonia Sch. Dist. 47J v. Acton, 515 U.S. 646, 653 (1995); and then quoting Riley v. California, 573 U.S.
373, 381 (2014)).
79 (ТӨТЕ ) 


ceo In re Certified Question of Law, 858 F.3d at 593 (emphasis added); 


81 (U) Butenko, 494 F.2d at 605; Brown, 484 F.2d at 426.


82 (U) 551 F.3d at 1007.


(TS//SI//NF) That programmatic purpose is consistent with Executive Order 12,333,
which does not limit the universe of information that can be collected by intelligence agencies to
information about foreign powers or their agents. Accordingly, NSA procedures permit
officers to target non-U.S. persons who possess, or are likely to possess, “foreign intelligence
information,” whether or not they work for or on behalf of a foreign power.


(TS//SI//NF) That programmatic purpose is also somewhat akin to the purpose behind the
surveillance authorized under Section 702 of FISA. As the Supreme Court has observed,
“[u]nlike traditional FISA surveillance, [Section 702] does not require the Government to
demonstrate probable cause that the target of the electronic surveillance is a foreign power or
[an] agent of a foreign power.” Instead, under Section 702, on “the issuance of an order” by
the FISC, “the Attorney General and the Director of National Intelligence may authorize jointly
. . . the targeting of persons reasonably believed to be located outside the United States to acquire
foreign intelligence information.”


It is possible that the narrower conception of the foreign-intelligence
exception [illegible] in some precedents—which would limit foreign intelligence collection to


forci 


(b) (3)-P.L. 86-36 


(b) (5)
83 (U) Executive Order No. 12,333 § 3.5(c).
84 See USSID SP0018, as discussed in Part IV.B of the Board's Report.
85 (U) Clapper v. Amnesty Int'l USA, 568 U.S. 398, 404 (2013).
86 (U) 50 U.S.C. § 1881a(a). FISA defines "foreign intelligence information" in 50 U.S.C. § 1801(e).


8 (U) Id. In In re Directives, the FISCR addressed a situation where the surveillance took place in the United
States, but the target was located overseas. The FISCR formulated its holding in terms of those facts: "[W]e hold
that a foreign intelligence exception to the Fourth Amendment's warrant requirement exists when surveillance is
conducted to obtain foreign intelligence for national security purposes and is directed against foreign powers or
agents of foreign powers reasonably believed to be located outside the United States." 551 F.3d at 1012.
Finally, assessing whether the collection and analysis that comprises
XKEYSCORE complies with the Fourth Amendment will, if all collection is properly within or
"incidental" to the extraterritorial or foreign intelligence exceptions, be assessed under the
"totality of the circumstances" test for reasonableness. That "reasonableness" inquiry would
depend in part on the "privacy protecting measures," such as restrictions on the targeting of U.S.
persons and measures to minimize the retention and dissemination of information about U.S.
persons in a manner consistent with mission need.


Ultimately, this analysis likely turns on whether NSA adequately protects
any U.S.-person communications processed by XKEYSCORE from misuse. The stronger the
safeguards applicable to Americans' communications—such as limits on [illegible] and retention
and other protections for U.S. persons—the stronger the case for reasonableness. For example,
significantly lengthening [illegible]


would likely raise the level of legal risk.
by contrast, would reduce such risk

exhaustively addressing each aspect of the program here, to my mind, the protections 
enumerated in the Board's Report and highlighted in the separate statement of Chairman Klein 


89 (U) Mohamud, 843 F.3d at 441; In re Terrorist Bombings, 552 F.3d at 172 ("To determine whether a search is
reasonable under the Fourth Amendment, we examine the totality of the circumstances to balance, on the one hand,
the degree to which it intrudes upon an individual's privacy and, on the other, the degree to which it is needed for
the promotion of legitimate government interests.") (internal quotation marks omitted) (quoting Samson v.
California, 547 U.S. 843, 848 (2006)). One question that can arise in litigation is whether the "reasonableness" of
the program must be assessed at the time of the collection of information or whether the "reasonableness" of each
individual search qualifies as a Fourth Amendment episode. Courts have split on this question. The district court in
Mohamud concluded that the "subsequent querying of a § 702 collection, even if U.S. person identifiers are used, is
not a separate search and does not make § 702 surveillance unreasonable under the Fourth Amendment." United
States v. Mohamud, No. 3:10-cr-475-KI-1, 2014 WL 2866749, at *26 (D. Or. June 24, 2014), aff'd, 843 F.3d 420,
440 n.24 (9th Cir. 2016) (explaining that the court was not resolving whether the "incidental overhear" concept
permits the "retention and querying of the incidentally collected information"). The Second Circuit in Hasbajrami,
however, concluded that "querying . . . stored data does have important Fourth Amendment implications, and those
implications counsel in favor of considering querying a separate Fourth Amendment event that, in itself, must be
reasonable." 945 F.3d at 670. Viewed from either the perspective of Hasbajrami or the district court in Mohamud,
the lesson to be derived from these cases is that back-end privacy protections on storage and querying can affect the
"reasonableness" of a program.


90 (U) Mohamud, 843 F.3d at 443; Hasbajrami, 945 F.3d at 655 (describing FISA's minimization procedures).


91 In considering the constitutionality of a government program that conducts many searches, the
Supreme Court has analyzed the reasonableness of the entire program rather than of a particular search. See Mich.
Dep't of State Police v. Sitz, 496 U.S. 444 (1990) (analyzing the reasonableness of Michigan's program of drunk
driving checkpoints); Nat'l Treasury Emps. Union v. Von Raab, 489 U.S. 656 (1989) (analyzing the reasonableness
of the U.S. Customs Service's drug-testing program for employees seeking sensitive positions); Skinner v. Ry. Labor
Execs. Ass'n, 489 U.S. 602 (1989) (analyzing the reasonableness of a drug-testing program for railway employees);
Bell v. Wolfish, 441 U.S. 520 (1979) (analyzing the reasonableness of a prison's practice of conducting body-cavity
searches of any inmate who had just met with a visitor).


do not aim to resolve that question here. 
indicate that the NSA has a strong case for XKEYSCORE's reasonableness on the present
facts.


If the program evolves, so too may the reasonableness analysis. Thus,
keeping the Board (and, as appropriate, other oversight entities) apprised of “changes to 
XKEYSCORE that could materially affect the privacy or civil liberties of US persons,” as we 
recommend in the accompanying Report, can help ensure sufficient scrutiny of changes that 
could affect the legal calculus. 


* * *


(U) When President Truman established the NSA in 1952, he announced in a then-classified
memorandum that the "COMINT mission of the National Security Agency (NSA)
shall be to provide an effective unified organization and control of the communications
intelligence activities of the United States conducted against foreign governments" and that the
Nation's COMINT activities must "exploit to the maximum the available resources in all
participating departments and agencies." When the Fourth Amendment was written, ratified,
and incorporated into the Constitution in the eighteenth century, its authors sought to prohibit the
federal government from engaging in "unreasonable searches and seizures" and from obtaining
warrants other than in certain specified circumstances. The passage of decades has not made the
harmonization of these two directives any easier, nor has it rendered either directive any less
vital. I have offered the preceding thoughts and analysis in an effort to ensure that the agency
meets its obligations under both directives.


92 To be sure, I do not arrive at a final conclusion on the Fourth Amendment reasonableness of the
uses of XKEYSCORE addressed in the Board's Report. Such a conclusion would necessarily depend on a
fact-intensive inquiry, including a review of the program's compliance record, which was not fully analyzed by the
Board in its Report. Such a reasonableness analysis, thus, remains for the agency to conduct and for appropriate
oversight entities (including the Board) to review in the future.


93 (U) Memorandum to the Secretary of State and the Secretary of Defense from Harry S. Truman, President of the
United States, Communications Intelligence Activities 1, 5 (Oct. 24, 1952).